Tag Archives: ransomware

Ransomware Grows More Pernicious

Ransomware attacks and ransom payments for data continue to spike, with The New York Times reporting a 40% increase between 2018 and 2019.

As cyber threats go, ransomware is especially insidious, because these attacks, hitting everything from municipalities to banks to small businesses, often go unreported. That means less shared information and fewer actionable insights for insurers or insureds trying to arm against an ever-morphing enemy.

We saw a gap — leading incident response experts who work with the cyber insurance industry didn’t have a forum to exchange information about what was happening on the front lines of these attacks.

We needed a way to get our arms around this problem to better support our cyber insurance carrier partners, a way to keep up to date and better understand the data trends from the expert’s vantage point at ground level.

Enter the Cyber Insurance Ransomware Advisory Group, which NetDiligence assembled in early 2020. Featuring 20 members from leading breach incident response service providers — consisting of Arete, Charles River Associates, Crowdstrike, Kroll, Kivu, Tracepoint, MOXFIVE, Tetra Defense and others.

The group meets quarterly and at select NetDiligence Cyber Risk Summit conferences to discuss emerging trends and best practices and make these insights available to the cyber insurance industry.

The Emergence of the Maze Variant

One of the key takeaways from the inaugural meeting was the emergence of the Maze variant and a “new normal” of data exfiltration, often including stolen private customer information.

Whereas previous generations of ransomware have been designed by threat actors to encrypt data and extort an organization for bitcoin in exchange for the decryption key, Maze significantly increases the pressure on the victimized organization and threatens to make the stolen data public by releasing it on the internet.

This has magnified the potential loss exposure and has led to a host of new privacy data breach risks for insureds — with accompanying notification requirements.

Even clients capable of restoring files from secure backups may find themselves subject to privacy data breach impacts, such as the need to comply with state breach notification laws that include attorneys general and the victimized population, which significantly increases claim costs.

See also: 5 Questions That Thwart Ransomware  

Ryuk Is Still Ever-Present

Another dangerous variant, Ryuk, continues to plague organizations with its tendency to attack both servers and workstations.

Experts expressed concern about organizations responding to Ryuk attacks with complete network shutdowns rather than impact isolation.

When assisting small to medium-sized enterprises (SMEs), experts often find it challenging to convince management of the necessity of deploying automated malware eradication and remediation tools and to ultimately convince these organizations to keep endpoint protection in place once the immediate incident is resolved.

What Other Ransomware Concerns Are Out There?

Other specific ransomware types encountered include DopplePaymer, Sodinokibi, Revel and Netwalker, as well as the continued rise of ransomware as a service (RaaS).

During the COVID-19 global pandemic, the impact of ransomware could prove devastating to an organization that may already be struggling.

Many of the widely held notions about ransomware are changing, we found. After paying the ransom, some organizations may never receive the promised decryption key (in the past, certain threat actors were believed to be reliable).

Even with reliable threat actors, experienced negotiation can be critical.

Threat actors are also extorting organizations to pay for their encrypted administrator-level credentials. And, increasingly, ransomware affects the backup files, as well, encrypting or otherwise making them unusable for data recovery.

The experts reported that more than 50% of the time backups had already been exploited.

To Pay or Not to Pay

Nevertheless, recovering from a viable and segmented backup repository is still the preferred method of the majority of experts rather than paying the bad guys.

In fact, reported time for business interruption is much longer for cases where the ransom is paid — lasting from three to 15 days. If backup is used, business interruption typically spans one to 10 days, experts say.

This was a bit of a surprising finding. Members advised that the negotiation process itself, as well as problems encountered with the unreliable decryption keys, have contributed to delays with the bitcoin payment path and extended the business interruption.

A Need for a Cyber-Ready Team

A continuing concern for handling ransomware remediation is the difficulty for SMEs to respond in a timely manner toward the essential task of paying larger amounts of bitcoin — or authorizing a third party to pay — for the ransom demand (averaging $100,000, but based on severity ranging from $400,000 to $8 million, according to group members) within the given timeline for response.

SME clients often don’t have the liquidity for these significant payments, even if their cyber insurer will reimburse them.

What’s more, SME-sized IT departments are often unprepared to deal with this type of business interruption and may at times lack a functional understanding of cyber policy coverages and the supporting claims process, which forces them to learn on the fly during the crisis — underscoring that preparation is key.

Finally, the expert group reported that leading cyber security deficiencies that continue to haunt organizations include the usual suspects: lack of multifactor authentication, lack of next generation anti-malware endpoint protections, open remote desktop protocols, unsegmented backups and lack of employee training.

One thing is certain: The ransomware scourge is no fleeting trend. Experts believe that it’s here to stay, inflicting damage as long as companies are willing to pay.

With the onset of COVID-19, ransomware attacks continue apace. While the nature of the attacks has altered slightly, their frequency has not, said Winston Krone, global managing director of Kivu Consulting.

See also: A Dangerous New Form of Ransomware  

The Ransomware Advisory Group will continue to stay on top of these threats so that carriers and their policyholders can defend against them.

Quick Takeaways for Cyber Carriers and Covered Entities:

  • Ensure that policyholders’ management has in place an actionable data breach incident response plan that can be accessed at a moment’s notice and includes vital third-party experts known to their cyber insurer.
  • Offer a loss control checklist for SMEs of some baseline must-have cyber security measures to mitigate ransomware, such as multifactor authentication (especially in O365), endpoint protections (example Crowdstrike’s Falcon Prevent), close remote desktop protocols, cloud-based backups and employee training.

You can find this article originally published here on riskandinsurance.com

5 Questions That Thwart Ransomware

This past summer was something of a perfect storm for small businesses, which weathered an increase in ransomware attacks, which in many cases started with an IT vendor or managed service provider (MSP).

Ransomware incidents reported to our company were up 37% in the third quarter when compared with the first three months of the year, and 24% were confirmed to be caused by a vendor or MSP.

Those statistics are bad news for small businesses that manage their IT resources with the help of a MSP and worse news for small businesses that outsource their entire IT operation to the MSP, which includes everything from building the network and managing applications to servicing any and all IT requests.

In fact, in the first nine months of last year, 63% of all the ransomware incidents reported to our breach response unit came from small businesses, many of which rely on an MSP. Why is that figure so high? MSPs make ripe targets for ransomware attacks.

They have to balance, on the one hand, a need for speed and convenience when it comes to being able to respond to clients and, on the other hand, the need to have the right security controls in place. Too often, speed and convenience win out over security controls.

For example, in many cases, MSPs have reused credentials across clients so that MSP employees can service multiple clients more quickly. Similarly, MSPs might not enable multi-factor authentication (MFA) on the remote access point they use to pivot to client environments.

See also: How Municipalities Avoid Ransomware  

In many incidents in the third quarter, attackers exploited the remote management application that connects the MSP to the client. The same MSP user account would log into multiple client environments and install ransomware. If the MSP had set up individual user accounts for each of its clients, it is more likely that the exploitation of the single set of credentials would have only enabled unauthorized access to a single client’s environment, diminishing the risk to their clients.

Further, an MSP user account often has to have full administrative access to assist with regular IT functions, so, when credentials were compromised, the attackers had full administrative access to clients’ environments.

So, why the increase in MSP ransomware attacks this summer? According to Bill Siegel, CEO and co-founder of ransomware response platform Coveware, hackers have found a way to magnify the attacks on MSPs. Specifically, developers of Sodinokibi ransomware are now using techniques employed originally by GandCrab ransomware to make the attacks on MSPs more profitable.

These MSP ransomware attacks over the summer exposed incident response challenges. For small businesses that completely rely on outsourced IT, a massive ransomware attack across clients draws on the MSP’s resources and inevitably leaves many businesses in the dark. Small business owners without a technical background struggle to understand and assist the external legal and forensics vendors who are hired to help them respond to the attack.

The response is further complicated when the MSP itself is also infected with ransomware. Where an attack group knows it has hit an MSP, and infected downstream clients, the group may refuse to negotiate with the end clients and instead only respond to the MSP to increase ransom demands. This tactic can also leave clients with little to no control over their data software recovery.

For all of these reasons, we urge small businesses to ask the following important questions when vetting a potential MSP:

  1. Is there a security program in place, including periodic risk assessments to identify areas for improvement?
  2. Is there continuing security awareness training across the organization?
  3. Is there a SSAE 18 SOC 2 Type II report or similar type of report available to customers, attesting to security control environment?
  4. If access to personally identifiable information or protected health information is necessary, how is this protected at the vendor (e.g. encryption, secure remote connections, restricted access, logging and monitoring)?
  5. Are security and availability requirements enforced in master service agreement contracts (e.g. sensitive data protection, up-time guarantee/service level agreements, security incident reporting/coordination, regulatory compliance requirements)?

Our third-quarter statistics clearly show that small businesses and MSPs are big targets for hackers. It is absolutely critical that small businesses are working hand-in-hand with all their IT vendors to prevent ransomware attacks from happening in the first place.

How Municipalities Avoid Ransomware

In today’s insurance marketplace, the benefits of technology cannot be overstated; however, the dark side of technology—namely ransomware attacks—is now infiltrating self-insured municipalities. Ransomware attacks occur when criminals find a way into the organization, encrypt as much data as possible and then extort money from you to get your own data back. If the ransom is not paid, the criminals may delete your data altogether.

There have been more than 170 ransomware attacks on U.S. state and local governments since November 2013, notes the technology security company Recorded Future. The costs to remedy these attacks are growing, and the belief that “it won’t happen to us” needs to be discarded.

In March 2018, the city of Atlanta had more than a third of its systems paralyzed by a ransomware attack. Recovery took more than a year, with costs estimated at $17 million. Baltimore, after refusing to pay an $80,000 ransom at the advice of law enforcement, recently approved $10 million in emergency funding to recover from a similar attack that immobilized some of the city’s systems, and services such as water billing are still offline, according to reports. Smaller cities, such as Lake City, FL, are also not immune: Recently, city administrators paid hackers a ransom of 42 bitcoins, or roughly $426,000.

See also: The Growing Problem of Ransomware  

Self-insured groups and public entities such as municipalities are among groups that particularly vulnerable, because they:

  • Operate within a significant regulatory environment;
  • Have data that others could steal and monetize (personally identifiable information such as Social Security numbers, HIPAA-related information and credit card numbers;
  • Have data that is critical and necessary to conduct business.

For captive insurers, property and casualty and workers’ comp carriers, lapses in cybersecurity can even affect mergers and acquisitions. According to security firm Forescout Technologies Inc., 53% of more than 2,700 global businesses surveyed report a critical cybersecurity issue putting an M&A deal in jeopardy.

“Unfortunately, it happens again and again to municipal systems that don’t have all the latest software, the latest protections or the highest-paid IT staffs,” Lee McKnight, an associate professor at Syracuse University’s School of Information Studies and an expert on cybersecurity, told USA Today.

I believe McKnight’s comment minimizes the essence of how self-insured groups and public entities such as municipalities actually work, because it’s not all about the latest software or highest-paid IT staffers. And protecting your organization from a ransomware attack does not necessarily require expensive next-generation firewalls, intrusion prevention systems or “security as a service” systems.

What it does require is common-sense due diligence, a clear line of responsibility for technology systems, a plan that holds all partners and vendors to the same security requirements, a secure cloud platform and, should the worst possible case occur, an incident response system.

Even with those elements in place, it’s still important to assess your actual risk against a ransomware attack. Actual risk includes more than just data housed on a server; it includes reputational/brand risk and the impact of losing trust from partners/vendors and members/customers as a result of an attack. To assess your relative risk to a ransomware attack, consider your organization’s size, the number of cities and counties with which you do business and the cybersecurity measures your currently employ. Assess your own risk tolerance—the potential damage to your organization that hackers could inflict… and assess the cybersecurity countermeasures you currently have in place.

When viewing your organization’s vulnerabilities in this way, it becomes clear that inaction is no longer an adequate response.

See also: Ransomware Threat Growing for Phones  

By creating a culture of alert self-monitoring, a plan that makes employee safety training and security safeguards a priority and a strategy that involves all stakeholders, including technology solution providers, you diminish your chances of being vulnerable to a ransomware attack.

Cyber: The Spectre of Uninsurable Risk?

It’s been an awfully eventful start to the New Year. In case you’ve missed the news, two major security flaws have been discovered in the processors that power nearly all of the world’s computers. The two techniques discovered to exploit these flaws, nicknamed Meltdown and Spectre, could allow hackers to steal data and secrets from any vulnerable computer, including mobile devices. Because the flaws are with the computer processor itself, any software platform running on top of an affected processor is potentially vulnerable.

If by this point you’ve tired of hearing about technology vulnerabilities, this one is different (but also mostly the same, as I’ll get to a bit later). For one, this isn’t a software bug like you might find in your operating system or browser. Nor is it a physical defect in the processor itself. Meltdown and Spectre aren’t really “bugs” at all. Instead, they represent methods to take advantage of the normal ways that many processors work for the purpose of extracting secrets and data. More important, though, is the magnitude of the impact. By comparison, the WannaCry and NoPetya ransomware attacks wreaked global havoc exploiting vulnerabilities that are believed to have affected ~400,000 computers versus the estimated 2 billion computers susceptible to Meltdown and Spectre.

See also: New Approach to Cyber Insurance  

The timing of these events could hardly come at a more interesting time for the cyber insurance industry. Only a few days prior, in an interview with the Financial Times, Christian Mumenthaler, CEO of Swiss Re, one of the world’s largest reinsurers, wisely questioned the very insurability of cyber risk due to the possibility for accumulation risk—the possibility that a cyber event could hit many insurance policyholders at the same time, by the same attack, resulting in huge potential claims payouts.

Sound familiar?

Cut the FUD

As we’ve discussed before, we now live at a time where a cyber attack, technology failure or human error can cause everything from data theft to supply chain disruptions, hospital shutdowns, hotel room lockouts, blackouts and even nuclear centrifuge explosions—literally the entire spectrum of known risk. That these events could even theoretically occur on a massive scale, and all at once, is certainly cause for alarm—it would indeed pose a serious accumulation risk and eliminate one of the core pillars of insurability.

However, it would be mistaken to assume that such a scenario, as in the case of Meltdown and Spectre, is anything more than FUD (fear, uncertainty and doubt). This is hardly to say that the discovery of these security flaws is much ado about nothing. On the contrary, they pose a very real threat and may well open the door to serious cyber attacks. However, as with the headline-grabbing ransomware attacks of 2017, there are many reasons to believe that subsequent losses will be relatively contained.

Hierarchy of Cyber Security

To understand why, it’s helpful to understand the hierarchy of cyber security. At the base are vulnerabilities in all their forms (software, humans, even processor architectures). That the base is bounded is misleading because, in reality, there are an infinite number of vulnerabilities that can and will exist. However, vulnerabilities only matter if they pose a threat to an organization. This combination of threat and vulnerability is generally the risk an organization faces. Even then, threats don’t matter unless someone proceeds to attack you. And that someone at the top of the pyramid is, 10 out of 10 times, a human actor. Why does this matter?

It matters because cyber attacks are really just forms of cybercrime, which itself is merely a form of crime—it is the people, not the form, that matter. There are costs for criminals to launch attacks, and not just the risk of being caught (which for the moment is abysmally low). Criminals require time, infrastructure and money to fund their enterprises, enumerate targets and move through the kill chain toward the realization of their desired outcomes. All the while they must also factor in the uncertainty of achieving the outcome.

Exploits for security flaws can accomplish many things, but few produce cash.

Every step in this chain takes effort. Although cyber criminals are becoming more numerous and sophisticated, they are still limited in how much damage they can cause and profit they can reap. As a result, even though an entire population may be vulnerable, the economically optimal strategy for an attacker is nonetheless to focus on a relatively small set of victims.

Cyber insurance is dead. Long live cyber insurance!

Although there is little doubt that certain accumulation scenarios exist, limiting the insurability of certain cyber risk exposures, this is not one of them. Absent an expertise in hacking and cybercrime—and the economics thereof—it is no surprise that many insurers offering cyber insurance struggle to understand, much less manage, accumulation risk. It’s high time they woke up.

See also: Cyber Insurance Needs Automated Security  

Insurers must come to realize the role that insurance plays in protecting companies from all forms of risk that accompany the digitization of everything. It also means thinking about cyber insurance as more than just coverage for data breach and response. The most recent devastating attacks have resulted in business and supply chain interruption, and even physical property damage. It is hardly a stretch to imagine exposure to nearly every other form of known risk, including bodily injury or even pollution. Of course, with new exposures come new challenges in underwriting and management of accumulation.

Overcoming these challenges won’t be easy. It will mean using data in an entirely novel way to not only assess the risk of an individual policyholder, but an entire population of policyholders, and doing so on a continuous basis. It will also mean measuring diversity, and particularly technological diversity, to manage accumulation in novel ways. How many insurers today know which cloud service provider their clients use, much less which versions of software they are running? Or whether their clients’ passwords have been compromised in a third-party data breach? If you don’t know these answers, you’re in trouble. Gone are the days when accumulation will be managed by geography, industry and revenue size. Are we up to the challenge?

Long live cyber insurance.

How to Immunize Against Cyber Attacks

Cyber-attacks see no signs of abating. In fact, deadly threats such as ransomware and malware have now become mainstream. Enterprises have no option but to expect cyber-attacks as a fact of life. They need to make their systems immune from such attacks.

The State of Cyber Attacks

Cyber-attacks increase in magnitude and scale with every passing day. A case in point is the WannaCry ransomware, which wreaked havoc in more than 200,000 systems across 150 countries in the world, during May 2017. This attack, the largest ransomware delivery campaign to date, held up everything from surgical operations to public information display systems, and from government initiatives to corporate work. And WannaCry is just one example. More than 4,000 ransomware attacks have taken place since the start of 2016.

Ransomware damages will touch $5 billion by the end of 2017, a 15X increase from the damage levels just two years ago!

Data-encrypting ransomware such as WannaCry is socially engineered malware. The hackers trick unsuspecting victims in many ways to install Trojan horse programs. They may:

  • Compromise an otherwise trusted site on a temporary basis, to offer a malicious download link.
  • Arrive as a rogue friend or application install request through mainstream social media.
  • The innovation of their attacks is matched only by the ingenuity in the ways they breach the network.

Close on the heels of socially engineered malware are password phishing attacks. A good proportion of the unsolicited emails try to pry out login credentials from gullible account holders. Despite the best anti-spam software, good phishing replicas of legitimate emails slip in. All it takes is a single careless employee for the hackers to breach the corporate network.

Countermeasures

Cybersecurity has been fighting a losing battle against cyber attackers for many years now.

Traditional security approaches, such as firewalls and antivirus suites, are now inadequate to protect against the entire gamut of attacks. Many enterprises realize this fact and now invest heavily in security. Gartner estimates information security spending to exceed $86.4 billion in 2017. However, many enterprises go after the latest tools and technologies, while neglecting the basics.

See also: Quest for Reliable Cyber Security  

Time-tested basic security hygiene is the basics of any countermeasure against cyber threats. Some of the basics include:

  • Installing advanced anti-malware suits
  • Regular patching and updating key software
  • Regular data backups
  • Controlled access to resources within the network
  • An Enterprise-wide whitelist of authorized apps and software.
  • Strong two two-factor authentication (2FA), with smartcards, biometrics, or OTP through SMS.

Another key component of basic security hygiene is training users on safe browsing. The ideal end-user education is ongoing. It covers the latest threats, and make employees aware of what to do in the face of various eventualities.

However, all these basics serve only as a foundation on which to construct sound security architecture for the enterprise. These basics alone are no longer effective in keeping cyber criminals at bay.

Patch Management: Vital for online security

Socially-engineered malware such as WannaCry spread across the organizational network without user interaction. The malware exploits latent vulnerabilities in the operating system of application software. Browser add-on programs such as Adobe Reader are especially rife with vulnerabilities, and hackers exploit it at will. In WannaCry’s case, the malware exploited “EternalBlue,” a known Microsoft Windows vulnerability.

Software vendors and cyber criminals are locked in a never-ending battle. Cyber criminals are always looking to unearth some vulnerability. The “good guys” try to beat cyber criminals to the game, to identify vulnerabilities before cyber criminals discover it first. Either way, the software developer releases a patch as soon as the vulnerability becomes known.

But, it is rare to find any enterprise with perfectly patched software. Enterprises do not install the patch updates even when one becomes available, owing to many reasons, such as:
Operational constraints and exigencies
Concerns about whether a newly patched version would contain some other bugs, rendering the system unstable.

Continuous Monitoring: Around the clock website check-ins

Today’s cyber criminals are sophisticated, and the attacks they launch are unpredictable.

Enterprises would do well to ensure continuous monitoring of the network environment. They would also do well to manage the implemented security controls on a proactive basis.

An effective network monitoring system offers end-to-end visibility of the network traffic. It:

  • Understands legitimate traffic patterns in the network, and issues prompt alerts when discovering unexpected traffic flows.
  • Triggers automated responses, such as shutting down the network, or blocking the user, on detecting anomalies.
  • Integrates threat intelligence capabilities, aggregating threat information from multiple sources.

Large enterprises could consider setting up an in-house security operations center, with robust incident response capabilities. Smaller firms could consider enlisting the services of a managed security services provider, to monitor their network and respond to incidents in real-time. Either way, proactive network monitoring is essential to keep the network safe.

See also: Paradigm Shift on Cyber Security  

Security Assessment: Third party independent security reviews

Network security does not work in isolation. An effective security set-up offers tight integration, without leaving any loose ends. Enterprises would do well to conduct a thorough security audit to ensure such a state.

A sound and comprehensive review compare the existing state of cybersecurity with best practices, in terms of:

  • The integration of basic and advanced controls to the security architecture
  • Integration of the existing security environment architecture with the business and IT vision
  • How the security framework leverages latest technologies, such as Machine learning, behavior analysis, and threat modeling, to detect and mitigate identified threats
  • The scalability of the security architecture to defend against future threats
  • The preparedness of the architecture to deliver Intelligent and flexible responses

The state of cybersecurity is fluid. Enterprises need to adopt an adaptive and evolving approach the security. They need to re-evaluate security processes, practices, policies, platforms, and tools, on a regular basis.

With cybercrime damage estimated to touch $6 trillion annually by 2021, the stakes have never been higher.